Skip to content

Support more complex SANs in verify_certificate_identity#325

Draft
alexjfisher wants to merge 2 commits intojruby:masterfrom
alexjfisher:subject_alt_names_fix
Draft

Support more complex SANs in verify_certificate_identity#325
alexjfisher wants to merge 2 commits intojruby:masterfrom
alexjfisher:subject_alt_names_fix

Conversation

@alexjfisher
Copy link

@alexjfisher alexjfisher commented Jan 3, 2025

Not sure if this is the right approach, but I'll put it up for discussion anyway. :)

Fixes #324

@alexjfisher
Add failing test for verify_certificate_identity
665bf7e 
This certificate and key is loaded from a fixtures file as I couldn't work out
how to create an example programatically.

The certificate has a `subjectAltName` extension with an `otherName` entry.

`verify_certificate_identity` fails because it parses the string representation
of `subjectAltName` with a simple regex expecting entries in the sequence to be
comma separated only.
@alexjfisher
Replace verify_certificate_identity method with upstream version
036c5e9 
Instead of using the fragile regex, decode the `subjectAltName` sequence
with `OpenSSL::ASN1.decode`.

This is slightly different to the MRI ruby implementation as `san.value` didn't
contain the raw string in jruby, but a single element Array of `OctetString`
instead.
alexjfisher
alexjfisher commented Jan 3, 2025
View reviewed changes
lib/openssl/ssl.rb
# MRI 2.2.3 (JRuby parses ASN.1 differently)
#when 7 # iPAddress in GeneralName (RFC5280)
elsif /\AIP(?: Address)?:(.*)/ =~ general_name
return true if verify_hostname(hostname, san.value.last.value)
Copy link
Author

@alexjfisher alexjfisher Jan 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In ruby-openssl this was verify_hostname(hostname, san.value), but I've had to add .last.value to get this to work here, as I'm getting a single element Array returned instead of a plain string. Maybe this isn't the right solution though. Should san.value instead return the exact same thing across both implementations?? I've not worked out where this is done though, and maybe it'd break loads of other things...

alexjfisher
alexjfisher commented Jan 3, 2025
View reviewed changes
lib/openssl/ssl.rb
# rescue IPAddr::InvalidAddressError
# end
# end
if san.value.last.value.size == 4 || san.value.last.value.size == 16
Copy link
Author

@alexjfisher alexjfisher Jan 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here. san.value is changed to san.value.last.value

alexjfisher
alexjfisher commented Jan 3, 2025
View reviewed changes
src/test/ruby/ssl/fixtures/othername_cert/othername.cnf
@@ -0,0 +1,15 @@
[ req ]
Copy link
Author

@alexjfisher alexjfisher Jan 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't work out how to generate a test certificate with the otherName extension programatically, so used openssl on the command line with this config file.

openssl req -newkey rsa:2048 -nodes -x509 -days 36500 -keyout othername.key -out othername.crt -config othername.cnf -extensions req_ext

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

verify_certificate_identity fails when subjectAltName includes otherName

1 participant

@alexjfisher